
v0.1.3 — vulndb library, --enrich pipeline, CI hardening


@sebastienrousseau sebastienrousseau released this 20 Jun 18:46
· 20 commits to main since this release
v0.1.3
b69cb19

First release where the source tree, git tag, and GitHub release page agree on the same version. Closes a 10-month gap in which tags advanced past the v0.0.2 release artifact without a matching published release.

New features

  • libs/vulndb — OSV.dev cross-reference + auto-VEX emission. New CLI verbs euxis vulndb query <PURL> (direct OSV lookup, returns BlockingFindings exit code on High/Critical) and euxis vulndb sync. (#86)
  • euxis sbom --enrich — cross-reference SBOM components against OSV.dev and auto-emit VexStatement{Affected}. (#88)
  • euxis check --enrich — runs the SBOM/OSV.dev cross-reference inline before the verify-everything playbook, writes euxis-vex.openvex.json next to the verdict. Failure is non-fatal. (#91)

Real bug fixes

  • Coroutine reference-parameter UB in IStreamingProvider + the three concrete providers (Claude / OpenAI / Gemini). The signatures took const std::string& model, const std::string& prompt; C++ coroutines don't extend reference parameter lifetimes across suspensions. ASan caught the dangling stack reads on Ubuntu GCC 14 as json::exception.type_error.316 with varying high-bit bytes. Same bug class as the earlier session_store::stream_episodes fix. (#100, closes #95)
  • IterationBudget::refund precondition — contradicted the documented "returns false if full" contract; aborted the contracts pilot on full budget. (#99)
  • RegistryClientCacheTest heap-use-after-free — held a const char* from std::getenv across a setenv (which reallocs the environ block). Snapshot to std::optional<std::string>. (#89)
  • Daemon-child race in InfraCmdTest — fixture's remove_all raced with the spawned daemon's writes. Now stops the daemon before TearDown. (#89)
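The std::getenv lifetime bug described above, shown with the "snapshot to std::optional<std::string>" pattern. This is an added example, not code from the euxis repository; env_snapshot, ScopedEnv and the EXAMPLE_CACHE_DIR variable are hypothetical names, and POSIX setenv/unsetenv are assumed.

```cpp
#include <cstdlib>
#include <optional>
#include <string>
#include <utility>

// Copy the value out at once: the pointer returned by std::getenv may be
// invalidated by any later setenv/unsetenv/putenv call.
std::optional<std::string> env_snapshot(const char* name) {
    const char* raw = std::getenv(name);
    if (raw == nullptr) return std::nullopt;
    return std::string(raw);
}

// Hypothetical RAII guard for a test fixture: overrides a variable and
// restores the previous state (including "unset") on scope exit.
class ScopedEnv {
public:
    ScopedEnv(std::string name, const std::string& value)
        : name_(std::move(name)), saved_(env_snapshot(name_.c_str())) {
        ::setenv(name_.c_str(), value.c_str(), 1);
    }
    ~ScopedEnv() {
        if (saved_) ::setenv(name_.c_str(), saved_->c_str(), 1);
        else ::unsetenv(name_.c_str());
    }
    ScopedEnv(const ScopedEnv&) = delete;
    ScopedEnv& operator=(const ScopedEnv&) = delete;

private:
    std::string name_;                    // declared first: saved_ reads it
    std::optional<std::string> saved_;    // owned copy, never a raw pointer
};

// Constructed scenario: EXAMPLE_CACHE_DIR and both paths are sample data.
bool demo_override_and_restore() {
    const char* var = "EXAMPLE_CACHE_DIR";
    ::setenv(var, "/tmp/original", 1);
    const auto before = env_snapshot(var);  // stays valid across setenv
    {
        ScopedEnv guard(var, "/tmp/override");
        if (env_snapshot(var) != std::string("/tmp/override")) return false;
    }
    return before.has_value() && *before == "/tmp/original" &&
           env_snapshot(var) == before;
}

int main() { return demo_override_and_restore() ? 0 : 1; }
```

Holding the raw `const char*` in place of `before` and reading it after the guard's `setenv` is the pattern that produces the heap-use-after-free under ASan.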

Build + CI

  • Drop the import std; pilot from default builds (toolchain gap on AppleClang 21 / Homebrew LLVM 22)
  • Switch libs/platform/src/execution_backend.cpp from fork + execvp to posix_spawnp (modern atomic spawn primitive)
  • Apple Clang as the macOS toolchain (Homebrew LLVM 22 + GitHub SDK proved incompatible)
  • std::jthread → std::thread + std::atomic<bool> across 4 sites (Apple Clang libc++ hasn't shipped <stop_token> as of 2026-06)
  • ${CMAKE_CXX_COMPILER_ID} IMPORTED-target guard in euxis_relax_thirdparty_warnings (Ubuntu apt-installed deps)
  • Wno-pre-c++2b-compat + Wno-unknown-warning-option for the multi-arg subscript operator
  • Drop macos-13 (Intel) from CI — GitHub's Intel runner pool starvation blocks merges

Distribution

  • One-liner install.sh for Linux + macOS, all four arch tuples
  • Homebrew tap formula at scripts/release/Formula/euxis.rb (copy into sebastienrousseau/homebrew-tap after this release)
  • .deb + .rpm packages (#85)

Documentation

  • 10-minute Getting Started tour with real doctor / vulndb query / sbom --enrich output (#90)
  • Three launch-week blog drafts in docs/blog/ ready for publication (#87)
  • README rewrites in noyalib style (31 files)
  • docs/development/quality-gates-baseline.md + restored .clang-tidy security check set

Known limitations

  • ExecLocalBackendTest.* (5 cases) are guarded with EUXIS_SKIP_EXEC_ON_LINUX on Linux — GitHub Actions ubuntu-24.04 runner rejects every form of execve from forked test children with EPERM regardless of code path. Library code verified correct on macOS Apple Clang under ASan/UBSan (10/10 pass). See #96 for the full investigation.

Install

```bash
curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/euxis/v0.1.3/scripts/release/install.sh | sh
```

Or build from source: see `docs/essentials/quick-start.md`.

What's Changed

  • v0.0.3 — safety hardening, perf wins, and SDK infrastructure by @sebastienrousseau in #61
  • build(deps): Bump the python-security group across 1 directory with 2 updates by @dependabot[bot] in #75
  • build(deps): Bump rich from 13.9.0 to 15.0.0 in /data/config/requirements by @dependabot[bot] in #71
  • build(deps): Bump chromadb from 0.5.0 to 1.5.9 in /data/config/requirements by @dependabot[bot] in #73
  • chore(public-readiness): CODEOWNERS + CodeQL workflow by @sebastienrousseau in #77
  • docs(security): accept chromadb risk + ignore in dependabot by @sebastienrousseau in #78
  • docs: rewrite every lib/app README to the noyalib reference shape by @sebastienrousseau in #84
  • build(deps): Bump serde_json from 1.0.149 to 1.0.150 in /docs/euxis-sdk by @dependabot[bot] in #63
  • build(deps): Bump serde_json from 1.0.149 to 1.0.150 in /docs/examples/rust-agent by @dependabot[bot] in #64
  • build(deps): Bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in #65
  • build(deps): Bump actions/setup-node from 4 to 6 by @dependabot[bot] in #79
  • build(deps): Bump the python-version group in /data/config/requirements with 7 updates by @dependabot[bot] in #80
  • build(deps): Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #81
  • build(deps): Bump docker/setup-qemu-action from 3 to 4 by @dependabot[bot] in #82
  • build(deps): Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #83
  • build(release): one-liner install + Homebrew tap formula + .deb/.rpm packages by @sebastienrousseau in #85
  • feat(vulndb): OSV.dev enrichment + auto-VEX emission by @sebastienrousseau in #86
  • docs(blog): launch-week drafts in Executive Pragmatist format by @sebastienrousseau in #87
  • feat(cli): wire libs/vulndb into the CLI surface by @sebastienrousseau in #88
  • chore(quality): close issue #42 sanitizer gate + clang-tidy/gcovr baselines by @sebastienrousseau in #89
  • docs(getting-started): ten-minute tour with real output by @sebastienrousseau in #90
  • feat(cli): --enrich flag on the check pipeline by @sebastienrousseau in #91
  • chore(ci): drop four dead workflows referencing removed euxis-web/ by @sebastienrousseau in #92
  • chore(ci): unbreak Ubuntu builds + branding gate; align stale version docs by @sebastienrousseau in #93
  • chore(version): roll docs and source back to v0.0.2 to match latest release by @sebastienrousseau in #94
  • fix(ci): main green — macOS LLVM 22 header path + Linux test guards by @sebastienrousseau in #99
  • chore: restore .clang-tidy gate, bump to v0.1.3, stabilise etx ctest by @sebastienrousseau in #100

Full Changelog: v0.1.2...v0.1.3